BAKGRUNN (fra kommisjonsforordningen) 

(1) Regulation (EU) 2023/1115 lays down rules to minimise the Union’s contribution to deforestation and forest degradation. It does this by imposing due diligence obligations on operators and traders placing on, making available on, or exporting from the Union market certain commodities and products. Where reference is made to operators in this Regulation, it should be understood as referring also to non-SME traders making relevant products available on the market if the provisions in this Regulation are generally applicable to them in accordance with their obligations under Regulation (EU) 2023/1115, specifically Article 5(1) thereof.

(2) Operators formally take responsibility for the compliance of the relevant products that they intend to place on the market or export by making available due diligence statements (‘Due Diligence Statements’).

(3) It is necessary to develop an Information System and provide access to it to operators and traders, and if applicable, their authorised representatives, competent authorities, and customs authorities, to implement their respective obligations laid down in Regulation (EU) 2023/1115. The Information System should facilitate the transfer of information between Member States competent authorities, and customs authorities.

(4) The Information System should be a software application based on the TRACES platform established by Regulation (EU) 2017/625 of the European Parliament and of the Council (2), to be developed and maintained by the Commission.

(5) Therefore, it is necessary to set out the practical and operational arrangements of the functioning of the Information System to facilitate effective and harmonised implementation and enforcement of Regulation (EU) 2023/1115.

(6) In order to overcome language barriers, the Information System should be available in all official languages of the Union. To that end, the Commission should translate the user interface of the Information System to all official languages of the Union.

(7) In order to fulfil their obligations and tasks under Regulation (EU) 2023/1115, operators, traders, competent authorities, customs authorities, and the Commission may need to exchange information which may include personal data. Any such exchange of information should comply with the rules on the protection of personal data laid down in Regulations (EU) 2016/679 (3) and (EU) 2018/1725 (4) of the European Parliament and of the Council. Accordingly, the exchange of personal data necessary to comply with the obligations and to fulfil the tasks laid down in Regulation (EU) 2023/1115 falls within the scope of the lawful processing of data pursuant to Article 5(1), point (a) of Regulation (EU) 2018/1725, and Article 6(1), point (e) of Regulation (EU) 2016/679.

(8) The Information System should be used to support the operators, traders and the competent authorities in presenting and accessing the necessary information on relevant products placed or made available on the market or exported. Personal data which may be exchanged via the Information System should only be processed for the purpose of fulfilling obligations and tasks under Regulation (EU) 2023/1115. Where personal data is processed in the operation of the Information System for the purpose to fulfil obligations and tasks under Regulation (EU) 2023/1115, operators and traders, and if applicable, their authorised representatives, competent authorities, and customs authorities should be controllers within the meaning of Regulation (EU) 2016/679 and the Commission should be a controller within the meaning of Regulation (EU) 2018/1725 for the processing activities they carry out. The competent authorities and customs authorities should be joint controllers within the meaning of Regulation (EU) 2016/679 for the processing activities when they carry out tasks in cooperation pursuant to Article 21 of Regulation (EU) 2023/1115.

(9) The processing, transmission, storage, and other processing of personal data of natural persons should take place in the Information System, for the purpose of fulfilling obligations and tasks under Regulation (EU) 2023/1115.

(10) The Information system should process personal data insofar as strictly necessary for the purpose of fulfilling obligations under Regulation (EU) 2023/1115. The Information System should only process the categories of personal data listed in Article 12(2) of this Implementing Regulation.

(11) The Information System should not store the personal data submitted by the Information System users in a form which permits identification of data subjects longer than strictly necessary for the purposes for which the personal data are processed. This period should be 10 years from the date the Due Diligence Statement is submitted through the information system, taking into account manufacturing processes over a long period of time to allow operators and traders, and if applicable, their authorised representatives, to reference existing Due Diligence Statements pursuant to Article 33(2)(c) of Regulation (EU) 2023/1115 and fulfil their obligations to ascertain that due diligence relating to the relevant products contained in or made from the relevant products was exercised pursuant to Article 4(9) of Regulation (EU) 2023/1115. A longer storage and processing of personal data should be possible where necessary to fulfil the individual responsibilities and obligations of Information System actors set out in Regulation (EU) 2023/1115.

(12) The Commission should provide access to the wider public to the datasets of the Information System in a completely anonymised and machine-readable open format in line with the Union’s Open Data Policy, which shall be established in form of properly aggregated and anonymised datasets which should be accessible on the Commission’s website.

(13) Following the protection-by-design and by-default principles, the Information System should be developed and designed with due respect to the requirements of data protection legislation, in particular due to restrictions imposed on access to personal data exchanged in the Information System. Therefore, the Information System should offer a considerably higher level of protection and security than other methods of information exchange, such as telephone, regular mail, or electronic mail.

(14) The Commission should supply and manage the software and IT infrastructure of the Information System, ensure its reliability, security, availability, maintenance and operation, and be involved in the training of and technical assistance to Information System actors and users. The Information System should allow for an effective data exchange with relevant systems and data sources of Commission Services.

(15) Member States should be able to adapt their functions and responsibilities in relation to the Information System to reflect their internal administrative structures, and to implement in the Information System a specific type of work or order of stages in a given work process while respecting their obligations arising from Chapter 3 of Regulation (EU) 2023/1115.

(16) To facilitate the effective implementation of Regulation (EU) 2023/1115 the competent authorities should be able to perform actions within the Information System to ensure compliance with that Regulation, including risk profiling for the plan of checks referred to in Article 16(5) of Regulation (EU) 2023/1115, results of checks on operators and traders, suspending the issuance of reference numbers assigned to the Due Diligence Statements, and in case of non-rectifiable and non-compliance to reject the concerned Due Diligence Statements. Pursuant to Article 16(1) of Regulation (EU) 2023/1115 which foresees that competent authorities carry out checks within their territory, competent authorities should be able to act on the Due Diligence Statements for which information is provided in the Information System by Information System users regarding the Member State where a product enters or leaves or is made available on the Union market. In the absence of such information, competent authorities should be able to act on the Due Diligence Statements of the Information System users established in or associated with their Member State.

(17) Information received by the competent authority, customs authority, the Commission, or any other authority that has been granted access to the information through the Information System from another competent authority, customs authority, the Commission or another such authority should not be deprived of its value as evidence in criminal, civil or administrative proceedings in accordance with relevant Union and national law solely on the ground that it originated in another Member State, or was received by electronic means. Such information should be treated by relevant Information System users in the same way as similar documents originating in its Member State.

(18) It should be possible to process the name and contact details of Information System users where necessary to fulfil the objectives and obligations of Regulation (EU) 2023/1115 and of this Regulation, including monitoring the use of the Information System by Information System administrators and Information System users, communication, training and awareness-raising initiatives, and gathering information in connection with the scope of Regulation (EU) 2023/1115, or mutual assistance under that Regulation.

(19) In order to ensure the effective monitoring of, and reporting on, the functioning of the Information System, the competent authorities, customs authorities, or other authorities that have been granted access to the Information System should make relevant information available to the Commission where such information is necessary for the Commission to fulfil its obligations under Regulation (EU) 2023/1115 and under this Regulation.

(20) Data subjects should be informed about the processing of their personal data in the Information System and the rights they benefit from in accordance with Regulation (EU) 2016/679 and Regulation (EU) 2018/1725, in particular the right of access to data relating to them, and the right to have inaccurate data corrected and illegally processed data erased.

(21) Each Information System user, as controller with respect to the data processing activities that it performs in connection within the scope of Regulation (EU) 2023/1115 should ensure that data subjects can exercise their rights in accordance with Regulation (EU) 2016/679 and Regulation (EU) 2018/1725. This should include establishing a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

(22) The implementation of this Regulation and the performance of the Information System should be monitored in the report on the functioning of the Information System based on statistical data from the Information System and any other relevant data. The Commission should submit the report to the European Parliament, the Council and the European Data Protection Supervisor. The report should also address aspects relating to the protection of personal data in Information System, including data security.

(23) The European Data Protection Supervisor has been consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725, and delivered an opinion on 5 November 2024.

(24) The measures provided for in this Regulation are in accordance with the opinion of the European Union (EU) Deforestation-free Regulation Committee